From owner-freebsd-current@FreeBSD.ORG Thu Aug 5 04:40:30 2004 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2DA2816A4CE; Thu, 5 Aug 2004 04:40:30 +0000 (GMT) Received: from ebb.errno.com (ebb.errno.com [66.127.85.87]) by mx1.FreeBSD.org (Postfix) with ESMTP id E4C1943D3F; Thu, 5 Aug 2004 04:40:29 +0000 (GMT) (envelope-from sam@errno.com) Received: from [66.127.85.91] ([66.127.85.91]) (authenticated bits=0) by ebb.errno.com (8.12.9/8.12.6) with ESMTP id i754eTWi097031 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO); Wed, 4 Aug 2004 21:40:29 -0700 (PDT) (envelope-from sam@errno.com) From: Sam Leffler Organization: Errno Consulting To: freebsd-current@freebsd.org Date: Wed, 4 Aug 2004 21:39:52 -0700 User-Agent: KMail/1.6.1 References: In-Reply-To: MIME-Version: 1.0 Content-Disposition: inline Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Message-Id: <200408042139.52577.sam@errno.com> cc: Robert Watson Subject: Re: So much entropy it's coming out of our ears? X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Aug 2004 04:40:30 -0000 On Wednesday 04 August 2004 08:56 pm, Robert Watson wrote: > Another observation is that we seem to be doing a lot of entropy > gathering. That is to say -- a lot. On a busy system, I have to wonder > whether we're not paying a high cost to gather more entropy than we really > need. I'm not familiar with the Yarrow implementation nor harvesting > bits, but I'd pose this question to you: right now, we appear to pay four > mutex operations per packet if the fifo isn't full. Can we rate limit > entropy gathering in entropy-rich systems to avoid doing so much work? If > we're processing 25,000 or 100,000 packets a second, that's a lot of goup > passing through Yarrow. Is it possible to do lockless rate limiting so > that we gather it only once every few seconds? This might make a big > aggregate difference when processing ethernet packets at a high rate, such > as in bridging/forwarding scenarios, etc. Virtually all performance-sensitive installations will disable entropy gathering through fast paths. I've suggested for a long time that this sort of collection should be enabled only under dire circumstances and never by default. Regardless the last time I looked at the entropy harvesting it used a model where entropy was unilateraly sent for harvest and discarded when too plentiful. I term this the "push model". I've advocated a "pull model" where the PRNG requests entropy when a low water mark is hit and/or a hybrid scheme where producers have some sort of flow control or feedback mechanism. Everything that goes on inside the PRNG is a separate issue. Sam